SecureSphere ThreatRadar: Improve Security Team Productivity and Focus
© 2015 Imperva, Inc. All rights reserved.
SecureSphere ThreatRadar: Improve Security Team Productivity and Focus
Pravin Rasiah, Sr. Product Manager, Web Application Security, Imperva
Morgan Gerhart, VP Product Marketing, Imperva
Speakers
Confidential 2
Pravin Rasiah Senior Product Manager
Morgan Gerhart VP, Product Marketing
Hackers Exploiting Same Old Vulnerabilities
“99.9% OF THE EXPLOITED VULNERABILITIES WERE COMPROMISED MORE THAN A YEAR AFTER THE CVE WAS PUBLISHED.”
Source: Verizon 2015 Data Breach Investigation Report
96% of applications have vulnerabilities
Source: Cenzic
Industrialized Hacking gives hackers extreme leverage
90% of security events from known bad actors (Source: Imperva)
60%+ of website traffic is non-human (Source: Imperva)
SecureSphere ThreatRadar
• Global Threat Intelligence Service
• Globally crowdsourced
• Curated by Imperva ADC
• Adds a “god’s-eye” view of the threat landscape to the WAF
SecureSphere ThreatRadar
• More productive, more focused security engineering team
• Cut infrastructure costs
• Demonstrate better security posture
Example 1: Global Financial Services Firm
• Suspected it had a known bad traffic problem
  – Some visibility from feeds from other vendors
  – Way too much chaff/noise
  – No visibility into how this traffic was impacting apps
  – Only detection, no protection
• ThreatRadar showed known bad was several times worse than suspected
  – 12 million events in last 6 months, 11 million filtered by ThreatRadar
  – Geographic reputation spotlighting potential state-funded/state-sponsored actors
• Today
  – 90-95% of protections utilize ThreatRadar
  – Business trusts SecureSphere (not worried about false positives/blocking legit traffic)
  – Less network traffic (behind the WAF, of course)
Example 2: SaaS Provider
• Security team overwhelmed by web events
  – 6 million per hour
  – Knew many/most security events came from script kiddies, malware sources and malicious IPs
  – But unable to filter, focus and prioritize: noise versus the truly worrisome
• ThreatRadar showed
  – 10-30% of traffic was from known bad sources
  – 80-90% of security alerts were associated with traffic from known bad
• Today
  – Filter and ignore the 80-90% that is known bad
  – Prioritize and focus on what is left: “that’s the really worrisome stuff”
  – Noticed some actors have “given up”
More Focused, More Productive Team
Eliminate the “noise” from known bad, and prioritize on the truly worrisome
[Chart: alert volume, Before vs. After]
More Focused, More Productive Team
Suspicious SQL Syntax
vs.
Suspicious SQL Syntax + Known SQLi IP
Increased WAF Accuracy
A syntax signature on its own only says the request looked like SQL injection; the same signature firing on a source already listed as a known SQLi IP is a far higher-confidence hit, which is what lets the WAF block with fewer false positives.
Reduce Infrastructure Costs
[Diagram: Malicious Traffic → Spam Marketing, Spamdexing (Reputation Impact), Fraud, DDoS, Manual Reviews]
Keep Forms Safe; Gain Backend Efficiencies
Reduce Infrastructure Costs
10-50% OF WEBSITE TRAFFIC FROM KNOWN BAD ACTORS
• More efficient WAF
• Fewer log entries
• Less disk needed
• Fewer events to SIEM
Globally Crowdsourced
• Malicious IPs
• Phishing URLs
• Anonymous Proxy
• Tor IPs
• Comment Spam IPs
• RFI IP Forensics
• SQLi IPs
• Scanner IPs
• Scraping BOTS
• Credit Card Cycling
• Registration BOTS
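The correlation the “Suspicious SQL Syntax” vs. “Suspicious SQL Syntax + Known SQLi IP” slides describe, applied to the SaaS provider’s triage (filter the known-bad share, focus on what is left), as an added Python example that is not Imperva’s code: the reputation feed, the signature-to-category mapping and the WAF alerts are all constructed here, reusing category names from the list above and RFC 5737 documentation addresses.

```python
from collections import Counter

# Constructed reputation feed keyed by category names from the deck's list.
# Addresses are RFC 5737 documentation ranges, not real indicators.
REPUTATION = {
    "SQLi IPs":    {"203.0.113.10", "203.0.113.11"},
    "Scanner IPs": {"198.51.100.7", "203.0.113.11"},
    "Tor IPs":     {"192.0.2.99"},
}

# Assumed mapping: which feed category corroborates which WAF signature
# (the deck's "Suspicious SQL Syntax + Known SQLi IP" pairing).
CORROBORATES = {"Suspicious SQL Syntax": "SQLi IPs"}

# Constructed WAF alerts: (source IP, signature that fired).
ALERTS = [
    ("203.0.113.10", "Suspicious SQL Syntax"),
    ("203.0.113.10", "Suspicious SQL Syntax"),
    ("203.0.113.11", "Suspicious SQL Syntax"),
    ("198.51.100.7", "Directory Traversal"),
    ("192.0.2.99",   "Suspicious SQL Syntax"),
    ("192.0.2.50",   "Suspicious SQL Syntax"),  # no reputation hit
    ("192.0.2.51",   "Directory Traversal"),    # no reputation hit
]

def categories_for(ip, feed=REPUTATION):
    """Every feed category the source address appears in (empty if none)."""
    return {cat for cat, ips in feed.items() if ip in ips}

def confidence(ip, signature, feed=REPUTATION):
    """1 = signature alone (the 'Before' view), 2 = signature plus any
    known-bad category, 3 = signature plus the category that corroborates it."""
    cats = categories_for(ip, feed)
    if CORROBORATES.get(signature) in cats:
        return 3
    return 2 if cats else 1

def triage(alerts, feed=REPUTATION):
    """Split alerts the way the deck describes: reputation-backed ones are
    counted per category (and can be blocked/filtered), the rest form the
    analyst's review queue. Returns (known_bad_share, per_category, review)."""
    known_bad, per_category, review = 0, Counter(), []
    for ip, sig in alerts:
        if confidence(ip, sig, feed) >= 2:
            known_bad += 1
            per_category.update(categories_for(ip, feed))
        else:
            review.append((ip, sig))
    share = known_bad / len(alerts) if alerts else 0.0
    return share, per_category, review
```

The per-category counts answer the deck’s “where are they coming from” and “how effectively are you mitigating known bad” questions; the review queue is what the analyst actually reads.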
Demonstrate Better Security Posture
• Who’s on your network?
• Who’s trying to get on your network?
• Where are they coming from?
• How are they attacking?
• How effectively are you mitigating “known bad”?